Malware classification using image representation

Abstract

In the recent years, there has been a rapid rise in the number of files submitted to anti-virus companies for analysis. It has become very difficult to analyse the functionality of each file manually. Malware developers have been highly successful in evading signature-based detection techniques. Most of the prevailing static analysis techniques involve a tool to parse the executable, and extract features or signatures. Most of the dynamic analysis techniques involve the binary file to be run in a sand-boxed environment to examine its behaviour. This can be easily thwarted by hiding the malicious activities of the file if it is being run inside a virtual environment. Hence, there has been a need to explore new approaches to overcome the limitations of static or dynamic analysis such as time intensity, resource consumption, scalability. In this paper, we have explored a new technique to represent malware as images. We have used 37, 374 samples belonging to 22 families and then applied deep neural network architectures such as ResNet-50 architecture including a dense Convolutional Neural Network (CNN) for classifying images. By converting the executable into an image representation, we have made our analysis process free from the problems faced by standard static and dynamic analyses. With our models, we have been able to get an accuracy of 98.98%, and 99.40% in classifying malware samples by using deep CNN, and ResNet-50 respectively on our dataset. In this paper, we have also compared the results of our proposed model on our collected dataset with the results obtained on publically available datasets like Malimg having 9,339 samples belonging to 25 families. We also present our findings on the limitation of this method through experimentation on packed and previously unseen classes of malware.